Sneak Attack! Blob Bombs; A Tech support scam that locks up your system.

Denial of service (DoS) attacks have been around for quite a while and will continue to be a bothersome presence for the foreseeable future. In part, DoS attacks are popular because they are relatively simple to accomplish. The attacker isn’t required to hack secure systems or subvert encryption algorithms. They only need to instigate an action that causes the target system to become so busy that it is unable to fulfill its legitimate user requests.

DDoS (Distributed Denial of Service) methods involve getting multiple systems to make erroneous requests to a service until it can no longer answer its real users. These types of attacks have been responsible for taking down services like Google and Facebook on multiple occasions throughout the last few years and have gained notoriety in the process.

DoS attacks are less flashy and generally only effective against one system at a time. However, they are now being combined with social engineering in a new type of scam. Tech support scamming has been around for a while; you go to a web page and get a pop-up that says you need to call 1-800-FIX-MEUP because your computer has something terribly wrong with it.

A classic Tech Support Scam

These were effective at first, but they’ve been around for so long now that most people just close their browser and start over, being more careful not to type the wrong address and to avoid the link that led them to the bad page. Occasionally you have to go as far as clearing your browser’s cache to keep the pop-up from recurring. This means the scammers need to do something different to get users to turn over control of their systems, passwords, and personal information.

Enter Blob Bombs. In short, a blob bomb is a technique in which nefarious characters code a web page in such a way that it causes your browser to download a small file over and over again. It performs the repetitive download so rapidly that your system can do nothing else and appears to be locked up. At the same time, the page pops up a tech support scam like the one pictured above; the exact scam page will probably vary. The hope is that the notion that something is really wrong will be more convincing, since your system will appear to be hung when the message is presented. Social engineering at its finest. If you’re interested in the details of the method itself, the Malwarebytes blog has published a full technical analysis.

The current round of Blob Bombs is targeting the Chrome browser’s window.navigator.msSaveOrOpenBlob API. If you think you’re safe from this because you run Linux or Mac, you should reconsider your position. The same technique will work on their browser APIs with just a slight modification to the landing page. It will also be possible to craft the landing pages to work with other browsers. I suspect this is going to be a widespread issue in the near future.

What do you do if you fall victim to this DoS scam? The first thing to try is to launch your task manager or application monitor software and forcibly close your browser (end its task). If your system is so busy that it cannot open the task manager, you can power off by holding down the power button until your computer shuts off, then turn it back on. Once you’ve gotten your browser shut down, use its menu options to clear its cache (temporary files); it will be full of the downloads. The downloaded files are blobs, or unassociated raw data, and shouldn’t pose a threat themselves, but they do take up room on your hard drive. If this happens to you on your company system, you should contact their tech support immediately and let them know what’s happened. I also suggest that you run a full virus and malware scan.
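A triage sketch for the cleanup step above, added here and not taken from the original post or the Malwarebytes analysis: it scans download records for the pattern the article describes, many small files saved by one page within a very short time. The record fields (`t`, `bytes`, `origin`), the thresholds and the sample data are assumptions constructed for illustration, not a real browser export format.

```javascript
// Added example: flag bursts of small downloads from one page (the blob bomb pattern).
// Field names (t in ms, bytes, origin) and thresholds are assumptions.
const DEFAULTS = { windowMs: 1000, minCount: 20, maxBytes: 64 * 1024 };

function findDownloadFloods(records, opts = {}) {
  const { windowMs, minCount, maxBytes } = { ...DEFAULTS, ...opts };
  // Only small files count; group timestamps by the origin that triggered them.
  const byOrigin = new Map();
  for (const r of records) {
    if (r.bytes > maxBytes) continue;
    if (!byOrigin.has(r.origin)) byOrigin.set(r.origin, []);
    byOrigin.get(r.origin).push(r.t);
  }
  const findings = [];
  for (const [origin, times] of byOrigin) {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = null;
    for (let end = 0; end < times.length; end++) {
      // Slide the window start forward until the span is under windowMs.
      while (times[end] - times[start] >= windowMs) start++;
      const count = end - start + 1;
      if (count >= minCount && (!best || count > best.count)) {
        best = { origin, count, from: times[start], to: times[end] };
      }
    }
    if (best) findings.push(best);
  }
  // Densest burst first.
  return findings.sort((a, b) => b.count - a.count);
}

// Constructed sample: one page saving a 2 KB file every 5 ms for 2 seconds,
// plus a user fetching three ordinary files over about a minute.
function sampleRecords() {
  const recs = [];
  for (let i = 0; i < 400; i++) {
    recs.push({ t: 10000 + i * 5, bytes: 2048, origin: "https://scam.example" });
  }
  recs.push({ t: 1000, bytes: 5000000, origin: "https://files.example" });
  recs.push({ t: 30000, bytes: 12000, origin: "https://files.example" });
  recs.push({ t: 61000, bytes: 800000, origin: "https://files.example" });
  return recs;
}

console.log(findDownloadFloods(sampleRecords()));
```

Grouping by origin keeps a user's ordinary downloads from several sites from adding up to a false positive.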
